Hi,

You can already do active-active CARP with OpenBSD. I believe it hashes by the MAC address (the MAC hash dictates which firewall responds to an ARP for the gateway IP).

However you may have issues with states and state synchronisation depending on the pps and firewall hardware performance, meaning you might be forced to enable "sloppy" states, or at the very least enable "defer" on pfsync. But allowing sloppy states is bad as it throws away a significant proportion of OpenBSD's awesome TCP security.

In short, it is *much* better to buy hardware where each firewall on its own is able to handle the full load, and run in active-backup mode.

Generally speaking, I've always found the layer 2 high availability provided by CARP to be rock solid, and if you want to do full stateful firewalling, this is your only sensible choice. If you have no need for full stateful firewalling then you can do active-active at layer 3 using OSPF etc. for the HA, and enable defer and sloppy and you're all done. It depends on what network feeds you are connected to and what your requirements are.

http://www.openbsd.org/papers/pfsync_v5.pdf

NB: We run Transtec servers which are just custom built Supermicro servers with a 3.5GHz E5-2609v2 CPU (with only two cores enabled and Turbo Plus enabled, giving us two 3.7GHz cores). The highest I have seen these do with 10gig NICs is almost 1Mpps with PF enabled. So there is little excuse for people to complain about OpenBSD PF performance unless you are talking about higher than 10gig networking.

But with all the work the devs are doing at the moment freeing up parts of the kernel from the BIG LOCK (http://quigon.bsws.de/papers/2015/asiabsdcon-openbsdupdate/), it won't be much longer before the network stack goes MP too (it is happening but it's not trivial). After which discussions on throughput and performance really do become a moot point, and instead we'll start seeing big enterprises start using OpenBSD and pushing for things like an OpenFlow agent ;)

So in short, stay active-backup, and sleep better :)

Hope this helps.

Cheers, Andy.

Just for fun: https://events.yandex.com/events/ruBSD/2013/talks/104/

> On 22 Jun 2015, at 09:08, Romain FABBRI <romain.fab...@alienconsulting.net> wrote:
>
> Not sure you really want to do that but you could achieve some IP or MAC load balancing using this kind of setup: http://www.kernel-panic.it/openbsd/carp/carp4.html
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Aviolat Romain
> Sent: Monday 22 June 2015 09:40
> To: 'misc@openbsd.org' (misc@openbsd.org)
> Subject: HA / load balancing / fail-over using CARP
>
> Dear OpenBSD community,
>
> I'll deploy a new redundant firewall setup in a few weeks (waiting for the hardware...). It'll be composed of two 1U Supermicro servers and a few additional 10GbE NICs.
>
> The idea was to use CARP + pfsync as the fail-over mechanism.
>
> I already deployed that a few times in the past, and we're pretty happy with this setup; maintenance is easy and the setup is rock solid.
>
> The only disadvantage IMHO is that there is no way to achieve load balancing between the members of the CARP cluster: one machine is always working while the other is idle. I could define some VLANs on top of CARP interfaces to be MASTER on routerA and some on routerB, but still it's not real load balancing.
>
> So before making the same setup again I wanted to have your input about that; maybe I'm not aware of other ways to achieve HA/load-balancing using OpenBSD?
>
> Thanks for your help!
>
> Romain Aviolat
> Senior System Administrator - R&D and ops Infrastructure
> Kudelski Security - Kudelski Group
> rte de Genève 22-24, 1033 Cheseaux, SWITZERLAND
> +41 21 732 03 79
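As an added example that is not part of Andy's reply or the original posts, here is the active-backup CARP + pfsync setup he recommends as OpenBSD hostname.if(5) and pf.conf(5) fragments, with the strict (default) state rule beside the "sloppy" variant the reply warns against and the active-active "balancing" form mentioned at the top. Interface names (em0, em2), the 192.0.2.0/24 addresses, vhids and the CARP password are assumed placeholders.

```conf
# /etc/hostname.carp0 on the preferred MASTER (assumed: em0 is the carpdev, 192.0.2.0/24 LAN).
# The BACKUP node uses the same file with a higher advskew (e.g. 100).
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass CHANGE_ME advskew 0 carpdev em0

# Active-active alternative (the MAC-hashed "balancing" mode the reply describes); shown only
# for contrast, since it is what pushes you toward sloppy states or defer:
# inet 192.0.2.1 255.255.255.0 192.0.2.255 carpdev em0 balancing ip carpnodes 1:0,2:100 pass CHANGE_ME

# /etc/hostname.pfsync0 on both nodes (assumed: em2 is a dedicated back-to-back sync link).
# Add the "defer" keyword only if you do go active-active; active-backup does not need it.
up syncdev em2

# /etc/sysctl.conf on both nodes: the node with the lower advskew reclaims MASTER when it
# returns, and all CARP groups on a host fail over together if one carpdev loses link.
net.inet.carp.preempt=1

# /etc/pf.conf excerpt.
# pfsync carries state tables in the clear, so keep em2 a private link and pass it unfiltered.
pass quick on em2 proto pfsync
pass on em0 proto carp

# Strict state tracking (the default): full TCP sequence/window validation, replicated by pfsync.
pass in on em0 proto tcp from any to 192.0.2.1 port 22 keep state

# The "sloppy" option turns that TCP validation off so a state can be picked up mid-flow on
# either node; this is the setting the reply advises against for a stateful firewall.
# pass in on em0 proto tcp from any to 192.0.2.1 port 22 keep state (sloppy)
```

After editing, `sh /etc/netstart carp0 pfsync0` and `pfctl -f /etc/pf.conf` apply the changes; `ifconfig carp0` should show one node MASTER and the other BACKUP.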